285 posts categorized "Retail"

FTC Urged To Rule On Legality Of 'Secret Surveillance Scores' Used To Vary Prices By Each Online Shopper

Nobody wants to pay too much for a product. If you like online shopping, you may have been charged higher prices than your neighbors. Gizmodo reported:

"... researchers have documented and studied the use of so-called "surveillance scoring," the shadowy, but widely adopted practice of using computer algorithms that, in commerce, result in customers automatically paying different prices for the same product. The term also encompasses tactics used by employers and landlords to deny applicants jobs and housing, respectively, based on suggestions an algorithm spits out. Now experts allege that much of this surveillance scoring behavior is illegal, and they are asking the Federal Trade Commission (FTC) to investigate."

"In a 38-page petition filed last week, the Consumer Education Foundation (CEF), a California nonprofit with close ties to the group Consumer Watchdog, asked the FTC to explore whether the use of surveillance scores constitutes “unfair or deceptive practices” under the Federal Trade Commission Act..."

The petition is part of a "Represent Consumers" (RC) program.

Many travelers have experienced dynamic pricing, where airlines vary fares based upon market conditions: when demand increases, prices go up; when demand decreases, prices go down. Similarly, when there are many unsold seats (e.g., plenty of excess supply), prices go down. But that dynamic pricing does not vary for each traveler.

Pricing by each person raises concerns of price discrimination. The legal definition of price discrimination in the United States:

"A seller charging competing buyers different prices for the same "commodity" or discriminating in the provision of "allowances" — compensation for advertising and other services — may be violating the Robinson-Patman Act... Price discriminations are generally lawful, particularly if they reflect the different costs of dealing with different buyers or are the result of a seller's attempts to meet a competitor's offering... There are two legal defenses to these types of alleged Robinson-Patman violations: (1) the price difference is justified by different costs in manufacture, sale, or delivery (e.g., volume discounts), or (2) the price concession was given in good faith to meet a competitor's price."

Airlines have wanted to extend dynamic pricing to each person, and "surveillance scores" seem perfectly suited for the task. The RC petition is packed with information which is instructive for consumers to learn about the extent of the business practices. First, the petition described the industry involved:

"Surveillance scoring starts with "analytics companies," the true number of which is unknown... these firms amass thousands or even tens of thousands of demographic and lifestyle data points about consumers, with the help of an estimated 121 data brokers and aggregators... The analytics firms use algorithms to categorize, grade, or assign a numerical value to a consumer based on the consumer’s estimated predicted behavior. That score then dictates how a company will treat a consumer. Consumers deemed to be less valuable are treated poorly, while consumers with better “grades” get preferential treatment..."

Second, the RC petition cited a study which identified 44 different types of proprietary surveillance scores used by industry participants to predict consumer behavior. Some of the score types (emphasis added):

"The Medication Adherence Score, which predicts whether a consumer is likely to follow a medication regimen; The Health Risk Score, which predicts how much a specific patient will cost an insurance company; The Consumer Profitability Score, which predicts which households may be profitable for a company and hence desirable customers; The Job Security Score, which predicts a person’s future income and ability to pay for things; The Churn Score, which predicts whether a consumer is likely to move her business to another company; The Discretionary Spending Index, which scores how much extra cash a particular consumer might be able to spend on non-necessities; The Invitation to Apply Score, which predicts how likely a consumer is to respond to a sales offer; The Charitable Donor Score, which predicts how likely a household is to make significant charitable donations; and The Pregnancy Predictor Score, which predicts the likelihood of someone getting pregnant."

It is important to note that the RC petition does not call for a halt in the collection of personal data about consumers. Rather, it asks the FTC, "to investigate and prohibit the targeting of consumers’ private data against them after it has been collected." Clarity is needed about what is, and is not, legal when consumers' personal data is used against them.

Third, the RC petition also cited published studies about pricing discrimination:

"An early seminal study of price discrimination published by researchers at Northeastern University in 2014 (Northeastern Price Discrimination Study) examined the pricing practices of e-commerce websites. The researchers developed a software-based methodology for measuring price discrimination and tested it with 300 real-world users who shopped on 16 popular e-commerce websites. Of ten different general retailers tested in 2014, only one -- Home Depot -- was confirmed to be engaging in price discrimination. Home Depot quoted prices to mobile-device users that were approximately $100 more than those quoted to desktop users. The researchers were unable to ascertain why... The Northeastern Price Discrimination Study also found that “human shoppers got worse bargains on a number of websites,” compared to an automated shopping browser that did not have any personal data trail associated with it, validating that Home Depot was considering shoppers’ personal data when setting prices online."

So, concerns about price discrimination aren't simply theory. Related to that, the RC petition cited its own research:

"... researchers at Northeastern University developed an online tool to “expose how websites personalize prices.” The Price Discrimination Tool (PDT) is a plug-in extension used on the Google Chrome browser that allows any Internet user to perform searches on five websites to see if the user is being charged a different price based on whatever information the companies have about that particular user. The PDT uses a remote computer server that is anonymous -- it has no personal data profile... The PDT then displays the price results from the human shopper’s search and those obtained by the remote anonymous computer server. Our own testing using the PDT revealed that Home Depot continues to offer different prices to human shoppers. For example, a search on Home Depot’s website for “white paint” reveals price discrimination. Of the 24 search results on the first page, Home Depot quoted us higher prices for six tubs of white paint than it quoted the anonymous computer... Our testing also revealed similar price discrimination on Home Depot’s website for light bulbs, toilet paper, toilet paper holders, caulk guns, halogen floor lamps and screw drivers... We also detected price discrimination on Walmart’s website using the PDT. Our testing revealed price discrimination on Walmart’s website for items such as paper towels, highlighters, pens, paint and toilet paper roll holders."

The RC petition listed examples: the Home Depot site quoted $59.87 for a five-gallon bucket of paint to the anonymous user, and $62.96 for the same product to a researcher. Another example: the site quoted $10.26 for a toilet-paper holder to the anonymous user, and $20.89 for the same product to a researcher -- double the price. Price differences per person ranged from small to large.
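The comparison behind the PDT's findings can be reproduced in a few lines. The following is an added example, not the Northeastern tool and not code from the petition: two price lists for the same search, one captured from the shopper's own browser and one from an anonymous baseline with no profile, are paired by product name, and any item quoted higher to the shopper is flagged. The dictionary input shape, the pairing-by-name rule and the tolerance parameter are assumptions; in the constructed sample, the paint and toilet-paper-holder prices are the petition's Home Depot figures and the other items are made up.

```python
"""Flag per-shopper price differences between a personalized and a baseline view.

Added example mirroring the Price Discrimination Tool's method: the same search
is run from the shopper's own browser and from an anonymous baseline, then the
paired results are compared. Assumed input shape: {product name: price}.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PriceDelta:
    item: str
    baseline: float      # price quoted to the anonymous, profile-free baseline
    personalized: float  # price quoted to the real shopper

    @property
    def difference(self) -> float:
        return round(self.personalized - self.baseline, 2)

    @property
    def percent(self) -> float:
        if self.baseline == 0:
            return float("inf")
        return round(100.0 * self.difference / self.baseline, 1)


def normalize(name: str) -> str:
    """Pair results by a case- and whitespace-insensitive product name."""
    return " ".join(name.lower().split())


def compare_prices(personalized: dict, baseline: dict, tolerance: float = 0.0):
    """Return (flagged, unpaired).

    flagged:  items the shopper was quoted more than `tolerance` dollars above
              baseline, largest difference first.
    unpaired: normalized names seen on only one side; they cannot be compared,
              and a result set that differs per shopper is itself worth noting.
    """
    base = {normalize(k): (k, v) for k, v in baseline.items()}
    pers = {normalize(k): (k, v) for k, v in personalized.items()}
    flagged, unpaired = [], []
    for key in sorted(set(base) | set(pers)):
        if key not in base or key not in pers:
            unpaired.append(key)
            continue
        name, b = base[key]
        _, p = pers[key]
        if p - b > tolerance:
            flagged.append(PriceDelta(name, b, p))
    flagged.sort(key=lambda d: d.difference, reverse=True)
    return flagged, unpaired


# Constructed sample. The paint and toilet-paper-holder prices are the figures
# the petition reported for Home Depot; the other items are made up.
SAMPLE_BASELINE = {
    "5-gallon white paint": 59.87,
    "toilet paper holder": 10.26,
    "caulk gun": 7.98,
    "LED light bulb 4-pack": 12.97,
}
SAMPLE_PERSONALIZED = {
    "5-Gallon White Paint": 62.96,
    "Toilet Paper Holder": 20.89,
    "caulk gun": 7.98,
    "halogen floor lamp": 34.99,
}


if __name__ == "__main__":
    flagged, unpaired = compare_prices(SAMPLE_PERSONALIZED, SAMPLE_BASELINE)
    for d in flagged:
        print(f"{d.item}: baseline ${d.baseline:.2f}, you ${d.personalized:.2f} "
              f"(+${d.difference:.2f}, +{d.percent}%)")
    print("unpaired:", unpaired)
```

Run on the sample, the toilet-paper holder is flagged first (+$10.63, +103.6%), the paint second (+$3.09, +5.2%), the caulk gun is not flagged because both sides match, and the two items that appeared in only one result set are reported as unpaired rather than silently dropped. Raising `tolerance` filters out cent-level noise from caching or rounding so only substantive differences remain.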

Besides concerns about price discrimination, the RC petition discussed "discriminatory customer service," and the data analytics firms allegedly involved:

"Zeta Global sells customer value scores that will determine, among other things, the quality of customer service a consumer receives from one of Zeta’s corporate clients. Zeta Global “has a database of more than 700 million people, with an average of over 2,500 pieces of data per person,” from which it creates the scores. The scores are based on data “such as the number of times a customer has dialed a call center and whether that person has browsed a competitor’s website or searched certain keywords in the past few days.” Based on that score, Zeta will recommend to its clients, which include wireless carriers, whether to respond to one customer more quickly than to others.

"Kustomer Inc.: Customer-service platform Kustomer Inc. uses customer value scores to enable retailers and other businesses to treat customer service inquiries differently..."

"Opera Solutions: describes itself as a “a global provider of advanced analytics software solutions that address the persistent problem of scaling Big Data analytics.” Opera Solutions generates customer value scores for its clients (including airlines, retailers and banks)..."

The petition cited examples of "discriminatory customer service," which include denied product returns, or customers shunted to less helpful customer service options. Plus, there are accuracy concerns:

"Considering that credit scores – the existence of which has been public since 1970 – are routinely based on credit reports found to contain errors that harm consumers’ financial standing, it is highly likely that Secret Surveillance Scores are based on inaccurate or outdated information. Since the score and the erroneous data upon which it relies are secret, there is no way to correct an error, assuming the consumer was aware of it."

Regular readers of this blog are already aware of errors in reports from credit reporting agencies. A copy of the RC petition is also available here (Adobe PDF, 3.2 Mbytes).

What immediately becomes clear while reading the petition is the massive amount of personal data collected about consumers to create proprietary scores. Consumers have no way of knowing, nor challenging, the accuracy of the scores when they are used against them. So, not only has an industry risen which profits by acquiring and then selling, trading, analyzing, and/or using consumers' data; there is little to no accountability.

In other words, the playing field is heavily tilted for corporations and against consumers.

This is also a reminder of why telecommunications companies fought hard for the repeal of the FCC's broadband privacy rules and the repeal of net neutrality, both of which happened in 2017 with FCC Chairman Ajit Pai, a Trump appointee, leading the agency. Repeal of the former consumer protection lets internet service providers collect consumers' data without those restrictions, and opens new revenue streams from selling the data collected to analytics firms, data brokers, and business partners.

Repeal of the second consumer protection allows internet and cable providers to price content using whatever criteria they choose. You see a rudimentary version of this pricing in a business practice called "zero rating." An example: streaming a movie via a provider's internet service counts against a data cap while the same movie viewed through the same provider's cable subscription does not. Yet, the exact same movie is delivered through the exact same cable (or fiber) internet connection.

Smart readers immediately realize that a possible next step is per-person zero rating. Streaming a movie might count against your data cap but not against your neighbor's. Who would know? Oversight and consumer protections are needed.

What are your opinions of secret surveillance scores?


Walmart To Pay $282 Million To Settle Bribery Charges By Regulators In The United States

The U.S. Securities And Exchange Commission (SEC) announced on June 20th a settlement agreement to resolve charges that Walmart violated:

"... the Foreign Corrupt Practices Act (FCPA) by failing to operate a sufficient anti-corruption compliance program for more than a decade as the retailer experienced rapid international growth... According to the SEC’s order, Walmart failed to sufficiently investigate or mitigate certain anti-corruption risks and allowed subsidiaries in Brazil, China, India, and Mexico to employ third-party intermediaries who made payments to foreign government officials without reasonable assurances that they complied with the FCPA. The SEC’s order details several instances when Walmart planned to implement proper compliance and training only to put those plans on hold or otherwise allow deficient internal accounting controls to persist even in the face of red flags and corruption allegations."

Walmart agreed to pay more than $144 million to settle the SEC’s charges and about $138 million to resolve parallel criminal charges by the U.S. Department of Justice (DOJ), for a combined total of more than $282 million. The settlements cover activities by the retailer's foreign subsidiaries in Brazil, China, India, and Mexico.

The DOJ announcement on June 20th stated:

"According to Walmart’s admissions, from 2000 until 2011, certain Walmart personnel responsible for implementing and maintaining the company’s internal accounting controls related to anti-corruption were aware of certain failures involving these controls, including relating to potentially improper payments to government officials in certain Walmart foreign subsidiaries, but nevertheless failed to implement sufficient controls that, among other things, would have ensured: (a) that sufficient anti-corruption-related due diligence was conducted on all third-party intermediaries (TPIs) who interacted with foreign officials; (b) that sufficient anti-corruption-related internal accounting controls concerning payments to TPIs existed; (c) that proof was required that TPIs had performed services before Walmart paid them; (d) that TPIs had written contracts that included anti-corruption clauses; (e) that donations ostensibly made to foreign government agencies were not converted to personal use by foreign officials; and (f) that policies covering gifts, travel and entertainment sufficiently addressed giving things of value to foreign officials and were implemented. Even though senior Walmart personnel responsible for implementing and maintaining the company’s internal accounting controls related to anti-corruption knew of these issues, Walmart did not begin to change its internal accounting controls related to anti-corruption to comply with U.S. criminal laws until 2011... In a number of instances, insufficiencies in Walmart’s anti-corruption-related internal accounting controls in these foreign subsidiaries were reported to senior Walmart employees and executives. The internal control failures allowed the foreign subsidiaries in Mexico, India, Brazil and China to open stores faster than they would have with sufficient internal accounting controls related to anti-corruption. Consequently, Walmart earned additional profits through these subsidiaries by opening some of its stores faster..."

So, to fast-track store openings, Walmart's foreign subsidiaries allegedly paid third-party intermediaries who passed the money on to the government officials who approve permits. CBS News reported:

"... the payments to the intermediary were recorded as payments to a construction company, even though there were numerous "red flags" to indicate that the intermediary was actually a government official... The federal agreement does not identify the intermediary, but describes her in some detail: It says she became known inside Walmart Brazil as a "sorceress" or "genie" for her "ability to acquire permits quickly by 'sort(ing) things out like magic.' " The plea agreement also includes a provision barring the Brazilian subsidiary from making public claims or issuing press releases contradicting the facts outlined under the plea agreement."

Walmart is not alone regarding FCPA violations. According to the SEC, several other companies, Fresenius and Cognizant among them, also agreed to FCPA settlements and payments during 2019.

Readers of this blog may remember that Fresenius paid $3.5 million last year to resolve HIPAA violations from five small data breaches during 2012. And last week a whistleblower report discussed Cognizant's content moderation work as a Facebook subcontractor.

The SEC also reached notable FCPA settlements and payments with other companies during 2018.


Facebook Announced New Financial Services Offering Available in 2020

On Tuesday, Facebook announced its first financial services offering which will be available in 2020:

"... we’re sharing plans for Calibra, a newly formed Facebook subsidiary whose goal is to provide financial services that will let people access and participate in the Libra network. The first product Calibra will introduce is a digital wallet for Libra, a new global currency powered by blockchain technology. The wallet will be available in Messenger, WhatsApp and as a standalone app — and we expect to launch in 2020... Calibra will let you send Libra to almost anyone with a smartphone, as easily and instantly as you might send a text message and at low to no cost. And, in time, we hope to offer additional services for people and businesses, like paying bills with the push of a button, buying a cup of coffee with the scan of a code or riding your local public transit..."

Long before the announcement, consumers crafted interesting nicknames for the financial service, such as #FaceCoin and #Zuckbucks. Good to see people with a sense of humor.

On a more serious topic, after multiple data breaches and privacy snafus at Facebook (plus repeated promises by CEO Zuckerberg that his company will do better), many people are understandably concerned about data security and privacy. Facebook's announcement also addressed security and privacy:

"... Calibra will have strong protections... We’ll be using all the same verification and anti-fraud processes that banks and credit cards use, and we’ll have automated systems that will proactively monitor activity to detect and prevent fraudulent behavior... We’ll also take steps to protect your privacy. Aside from limited cases, Calibra will not share account information or financial data with Facebook or any third party without customer consent. This means Calibra customers’ account information and financial data will not be used to improve ad targeting on the Facebook family of products. The limited cases where this data may be shared reflect our need to keep people safe, comply with the law and provide basic functionality to the people who use Calibra. Calibra will use Facebook data to comply with the law, secure customers’ accounts, mitigate risk and prevent criminal activity."

So, the new Calibra subsidiary promised that it won't share users' account information with Facebook's core social networking service, except when it will -- to "comply with the law." That leaves Calibra customers to trust Facebook's wall separating its business units, and "provide basic functionality to the people who use Calibra" sounds like a loophole wide enough to justify almost any data sharing. The announcement encourages interested persons to sign up for email updates.

Tech and financial experts quickly weighed in on the announcement and its promises. TechCrunch explained why Facebook created a new business subsidiary, noting that after Tuesday's announcement:

"... critics started harping about the dangers of centralizing control of tomorrow’s money in the hands of a company with a poor track record of privacy and security. Facebook anticipated this, though, and created a subsidiary called Calibra to run its crypto dealings and keep all transaction data separate from your social data. Facebook shares control of Libra with 27 other Libra Association founding members, and as many as 100 total when the token launches in the first half of 2020. Each member gets just one vote on the Libra council, so Facebook can’t hijack the token’s governance even though it invented it."

TechCrunch also explained the risks to Calibra customers:

"... that leaves one giant vector for abuse of Libra: the developer platform... Apparently Facebook has already forgotten how allowing anyone to build on the Facebook app platform and its low barriers to “innovation” are exactly what opened the door for Cambridge Analytica to hijack 87 million people’s personal data and use it for political ad targeting. But in this case, it won’t be users’ interests and birthdays that get grabbed. It could be hundreds or thousands of dollars’ worth of Libra currency that’s stolen. A shady developer could build a wallet that just cleans out a user’s account or funnels their coins to the wrong recipient, mines their purchase history for marketing data or uses them to launder money..."

During the coming months, hopefully Calibra will disclose the controls it will implement on the developer platform to prevent abuses, theft, and fraud.

Readers wanting to learn more should read the Libra White Paper, which provides more details about the companies involved:

"The Libra Association is an independent, not-for-profit membership organization headquartered in Geneva, Switzerland. The association’s purpose is to coordinate and provide a framework for governance for the network... Members of the Libra Association will consist of geographically distributed and diverse businesses, nonprofit and multilateral organizations, and academic institutions. The initial group of organizations that will work together on finalizing the association’s charter and become “Founding Members” upon its completion are, by industry:

1. Payments: Mastercard, PayPal, PayU (Naspers’ fintech arm), Stripe, Visa
2. Technology and marketplaces: Booking Holdings, eBay, Facebook/Calibra, Farfetch, Lyft, Mercado Pago, Spotify AB, Uber Technologies, Inc.
3. Telecommunications: Iliad, Vodafone Group
4. Blockchain: Anchorage, Bison Trails, Coinbase, Inc., Xapo Holdings Limited
5. Venture Capital: Andreessen Horowitz, Breakthrough Initiatives, Ribbit Capital, Thrive Capital, Union Square Ventures
6. Nonprofit and multilateral organizations, and academic institutions: Creative Destruction Lab, Kiva, Mercy Corps, Women’s World Banking"

Yes, the ride-hailing company, Uber, is involved. Yes, the same ride-hailing service which paid $148 million to settle claims over its 2016 data breach and the coverup that followed. Yes, the same ride-hailing service with a history of data security, compliance, cultural, and privacy snafus. This suggests -- for better or worse -- that in the future consumers will be able to pay for Uber rides using the Libra network.

Facebook hopes to have about 100 members in the Libra Association by the service launch in 2020. Clearly, there will be plenty more news to come. Below are draft screen images of the new app.

Early version of screen images of the Calibra mobile app.


How Google Tracks All Of Your Online Purchases. Its Reasons Are Unclear

Google tracks all of your online purchases. How? ExpressVPN reported:

"Initially stumbled across by a CNBC reporter, a "Google Purchases" page keeps track of all digital receipts sent to your Gmail account from as far back as 2012. The page is not limited to purchases made directly from Google, either. From flight tickets to Amazon purchases to food delivery services, if the receipt went to your Gmail, it’s on the list. Google takes the name, date, and other specifics surrounding the purchase and records them in a list on the page."

The tracking is a reminder of the special place email providers, like internet service providers (ISPs), enjoy: access to a large share of users' online activities. Consumers' purchase receipts can include very sensitive information, such as foods, medicine, and medical devices -- for parents and/or their children; bookings for upcoming travel indicating when a home will be vacant; or purchases of medical marijuana, D-I-Y guns, and/or internet-connected adult toys. The bottom line: some consumers may not want their purchase data collected (nor shared with other companies by Google).

Now that you're aware of the tracking, something to consider the next time a cashier at a brick-and-mortar retail store asks: paper or email receipt? I always choose paper. You might, too.

To view your Google Purchase page, visit http://myaccount.google.com/purchases and sign in. Only you can view your purchases page.

The available privacy fixes are ugly. One option is to switch to an email provider that doesn't track you. If you decide to stay with Gmail, the only fix is a manual process that will cost you hours or days wading through your archive and deleting emails:

"... the only way to remove a purchase from the list is to find and manually delete the email that contains the original receipt. Worse still, you can’t turn off tracking, and there’s no way to delete the list en masse. This process is incredibly tedious... Even more perplexing is that there’s no clear purpose for the collection of this data... the logic behind this reasoning is strange, the info is hiding in Google’s Account page, and it’s not exactly easy to access for users who want to “view and keep track of purchases.” And seeing as this page isn’t really being promoted to its users..."
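Finding the receipts is the tedious part of that manual process. The following is an added example, not a Google tool: it scans a mailbox export for receipt-like messages and prints each one's Message-ID, which can be pasted into Gmail's search box as `rfc822msgid:<id>` to land on exactly that message and delete it. It assumes the mailbox was exported with Google Takeout as an .mbox file; the subject and sender keyword lists are a heuristic chosen here, and the four sample messages are constructed.

```python
"""Locate receipt-like messages in a Gmail mailbox export for manual deletion.

Added example, not a Google tool. The Purchases page is built from receipts
Google finds in Gmail, and the only remedy described is deleting those emails.
Assumes the mailbox was exported with Google Takeout as an .mbox file. The
keyword lists are a heuristic and the sample messages are constructed.
"""
import mailbox
import os
import re
import tempfile
from email.message import EmailMessage
from email.utils import parseaddr

SUBJECT_HINTS = ("receipt", "your order", "order confirmation", "invoice",
                 "itinerary", "booking confirmation", "payment confirmation")
SENDER_HINTS = ("orders@", "receipts@", "noreply@", "no-reply@", "billing@")
AMOUNT_RE = re.compile(r"(?:\$|USD\s?)\d[\d,]*\.\d{2}")


def body_text(msg) -> str:
    """Decode the text/plain part(s); HTML parts and attachments are ignored."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def looks_like_receipt(msg) -> bool:
    """A receipt-like subject alone is enough. A transactional sender also
    needs a dollar amount in the body, so a bare notification from a
    no-reply@ address is not flagged."""
    subject = (msg.get("Subject") or "").lower()
    sender = parseaddr(msg.get("From") or "")[1].lower()
    if any(h in subject for h in SUBJECT_HINTS):
        return True
    return any(sender.startswith(h) for h in SENDER_HINTS) and bool(AMOUNT_RE.search(body_text(msg)))


def find_receipts(mbox_path: str):
    """Return (Message-ID, Date, sender, Subject) for each receipt-like message,
    in mailbox order. Search Gmail for rfc822msgid:<id> to reach the message."""
    hits = []
    for msg in mailbox.mbox(mbox_path):
        if looks_like_receipt(msg):
            hits.append(((msg.get("Message-ID") or "").strip(), msg.get("Date", ""),
                         parseaddr(msg.get("From") or "")[1], msg.get("Subject", "")))
    return hits


def _message(sender, subject, body, msgid):
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "you@example.test", subject
    m["Message-ID"], m["Date"] = msgid, "Mon, 20 May 2019 10:00:00 +0000"
    m.set_content(body)
    return m


def build_sample_mbox() -> str:
    """Write four constructed messages to a temporary .mbox and return its path."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    os.close(fd)
    box = mailbox.mbox(path)
    box.add(_message("orders@example-store.test", "Your order #1234 has shipped",
                     "Order total: $62.96", "<order-1234@example-store.test>"))
    box.add(_message("news@example-news.test", "Weekly deals",
                     "Paint on sale from $19.99!", "<news-1@example-news.test>"))
    box.add(_message("no-reply@example-air.test", "Trip details",
                     "Total charged: USD 412.30", "<trip-77@example-air.test>"))
    box.add(_message("no-reply@example-social.test", "You have a new follower",
                     "Someone followed you.", "<social-9@example-social.test>"))
    box.flush()
    box.close()
    return path


if __name__ == "__main__":
    for msgid, date, sender, subject in find_receipts(build_sample_mbox()):
        print(f"rfc822msgid:{msgid}\t{date}\t{sender}\t{subject}")
```

On the sample, the store order is caught by its subject, the airline charge by its no-reply sender plus a dollar amount, and the newsletter and the social notification are left alone. The heuristic errs toward the obvious cases; a marketing mail that quotes a price from an `orders@` address would be a false positive, so review the list before deleting anything.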

Google said it is doing more for its customers regarding privacy. Last month, The Washington Post reported:

"... One executive after another at Google’s I/O conference in its hometown of Mountain View, California emphasized new privacy settings in products like search, maps, thermostats and updated mobile phone software. "We strongly believe that privacy and security are for everyone, not just a few," Google CEO Sundar Pichai said.

Said product manager Stephanie Cuthbertson, who introduced a new version of the Android mobile operating system: "You should always be in control of what you share and who you share it with."... Google also committed to improved privacy controls of its Nest-connected home devices, including the ability of users to delete their audio files. Some users have reported having hackers eavesdropping through their Nest devices."

Hmmm. It seems more privacy and control does not extend to Gmail users' purchase data. What are your opinions?

[Editor's note: this page was revised Monday evening to fix a typo and to include the link the Google Purchases page.]


The Worst Mobile Apps For Privacy

ExpressVPN compiled its 2019 list of the four worst mobile apps for privacy. If you value your online privacy, the security firm's advice is blunt: "Delete them now." The list includes both predictable items and some surprises:

"1. Angry Birds: If you were an international spying organization, which app would you target to harvest smartphone user information? If you picked Angry Birds, congratulations! You’re thinking just like the NSA and GCHQ did... what it lacks in gameplay, it certainly makes up for in leaky data... A mobile ad platform placed a code snippet in Angry Birds that allowed the company to target advertisements to users based on previously collected information. Unfortunately, the ad’s library of data was visible, meaning it was leaking user information such as phone number, call logs, location, political affiliation, sexual orientation, and marital status..."

"2. The YouVersion Bible App: The YouVersion Bible App is on more than 300 million devices around the world. It claims to be the No. 1 Bible app and comes with over 1,400 Bibles in over 1,000 languages. It also harvests data... Notable permissions the app demands are full internet access, the ability to connect and disconnect to Wi-Fi, modify stored content on the phone, track the device’s location, and read all a user’s contacts..."

Read the full list of sketchy apps at the ExpressVPN site.


'Software Pirates' Stole Apple Tech To Distribute Hacked Mobile Apps To Consumers

Prior news reports highlighted the abuse of Apple's corporate digital certificates. Now, we learn that this abuse is more widespread than first thought. CNet reported:

"Pirates used Apple's enterprise developer certificates to put out hacked versions of some major apps... The altered versions of Spotify, Angry Birds, Pokemon Go and Minecraft make paid features available for free and remove in-app ads... The pirates appear to have figured out how to use digital certs to get around Apple's carefully policed App Store by saying the apps will be used only by their employees, when they're actually being distributed to everyone."

So, bad actors abuse technology intended for a company's employees to distribute apps directly to consumers. Software pirates, indeed.

To avoid installing hacked apps, consumers should install apps only from the App Store or other sources they trust. A fix is underway. According to CNet:

"Apple will reportedly take steps to fight back by requiring all app makers to use its two-factor authentication protocol from the end of February, so logging into an Apple ID will require a password and code sent to a trusted Apple device."

Let's hope that fix is sufficient.
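Enterprise distribution leaves a fingerprint that can be checked. An .ipa is a zip archive, and apps signed for in-house distribution ship an embedded.mobileprovision inside Payload/<App>.app/: a CMS (PKCS#7) SignedData blob whose signed content is a cleartext XML plist. The following is an added example, not Apple tooling: it slices the plist out of the blob by its `<?xml` ... `</plist>` markers (so no CMS parser is needed; the signature is not verified) and reports whether the profile is an enterprise profile (`ProvisionsAllDevices` set), an ad hoc or development profile (a `ProvisionedDevices` UDID list), or neither. The key names are the ones Apple uses in these profiles; the DER prefix, the team names and the archive contents below are constructed.

```python
"""Tell whether an iOS app's embedded provisioning profile is an enterprise
(in-house) profile, the kind the pirates in this story abused.

Added example, not Apple tooling. The signature over the profile is NOT
verified here; the check only reads the signed plist. Sample blobs are constructed.
"""
import datetime
import io
import plistlib
import zipfile
from dataclasses import dataclass

ENTERPRISE = "enterprise"
ADHOC_OR_DEV = "adhoc-or-development"
STORE = "appstore-or-unknown"


@dataclass
class ProfileSummary:
    team: str
    kind: str
    device_count: int
    expires: str


def extract_plist(blob: bytes) -> dict:
    """Return the plist embedded in a CMS-wrapped .mobileprovision."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < 0 or end < start:
        raise ValueError("no plist found in provisioning profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def classify(profile: dict) -> str:
    if profile.get("ProvisionsAllDevices"):
        return ENTERPRISE          # runs on any device: in-house distribution
    if profile.get("ProvisionedDevices"):
        return ADHOC_OR_DEV        # restricted to the listed UDIDs
    return STORE


def summarize(blob: bytes) -> ProfileSummary:
    p = extract_plist(blob)
    exp = p.get("ExpirationDate")
    return ProfileSummary(
        team=str(p.get("TeamName", "?")),
        kind=classify(p),
        device_count=len(p.get("ProvisionedDevices") or []),
        expires=exp.date().isoformat() if isinstance(exp, datetime.datetime) else "",
    )


def summarize_ipa(ipa) -> ProfileSummary:
    """Accepts a path or a file-like object. App Store builds usually carry
    no embedded.mobileprovision at all, which surfaces here as an error."""
    with zipfile.ZipFile(ipa) as z:
        names = [n for n in z.namelist()
                 if n.startswith("Payload/") and n.endswith(".app/embedded.mobileprovision")]
        if not names:
            raise ValueError("no embedded.mobileprovision in archive")
        return summarize(z.read(names[0]))


# --- constructed samples ---------------------------------------------------
_DER_PREFIX = bytes.fromhex("3082010006092a864886f70d010702a0")  # CMS SignedData-like header
_DER_SUFFIX = b"\x00" * 16                                        # stands in for the signature


def _wrap(profile: dict) -> bytes:
    return _DER_PREFIX + plistlib.dumps(profile) + _DER_SUFFIX


def sample_enterprise_blob() -> bytes:
    return _wrap({"TeamName": "Example Pirates LLC", "ProvisionsAllDevices": True,
                  "ExpirationDate": datetime.datetime(2020, 2, 28),
                  "Entitlements": {"application-identifier": "ABCDE12345.example.app"}})


def sample_adhoc_blob() -> bytes:
    return _wrap({"TeamName": "Example Dev",
                  "ProvisionedDevices": ["00008020-000000000000002E", "00008020-000000000000003F"],
                  "ExpirationDate": datetime.datetime(2020, 2, 28)})


def build_sample_ipa() -> io.BytesIO:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/embedded.mobileprovision", sample_enterprise_blob())
        z.writestr("Payload/Demo.app/Info.plist", plistlib.dumps({"CFBundleIdentifier": "example.app"}))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print(summarize_ipa(build_sample_ipa()))
```

A result of `enterprise` for an app obtained anywhere other than an employer's internal distribution is exactly the pattern CNet describes. The team name tells you which developer account's certificate was used, and the expiration date bounds how long the install keeps working once Apple revokes that certificate.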


Walgreens To Pay About $2 Million To Massachusetts To Settle Multiple Price Abuse Allegations. Other Settlement Payments Exceed $200 Million

The Office of the Attorney General of the Commonwealth of Massachusetts announced two settlement agreements with Walgreens, a national pharmacy chain. Walgreens has agreed to pay about $2 million to settle multiple allegations of pricing abuses. According to the announcement:

"Under the first settlement, Walgreens will pay $774,486 to resolve allegations that it submitted claims to MassHealth in which it reported prices for certain prescription drugs at levels that were higher than what Walgreens actually charged, resulting in fraudulent overpayments."

"Under the second settlement, Walgreens will pay $1,437,366 to resolve allegations that from January 2006 through December 2017, rather than dispensing the quantity of insulin called for by a patient’s prescription, Walgreens exceeded the prescription amount and falsified information on claims submitted for reimbursement to MassHealth, including the quantity of insulin and/or days’ supply dispensed."

Both settlements arose from whistle-blower activity. MassHealth is the Commonwealth's Medicaid program; a state law passed in 2006 expanded it as part of the effort to provide health insurance to all Commonwealth residents, and the law was amended in 2008 and 2010 to make it consistent with the federal Affordable Care Act.

Massachusetts Attorney General (AG) Maura Healey said:

"Walgreens repeatedly failed to provide MassHealth with accurate information regarding its dispensing and billing practices, resulting in overpayment to the company at taxpayers’ expense... We will continue to investigate cases of fraud and take action to protect the integrity of MassHealth."

In a separate case, Walgreens will pay $1 million to the state of Arkansas to settle allegations of Medicaid fraud. Last month, the New York State Attorney General announced that New York State, other states, and the federal government reached:

"... an agreement in principle with Walgreens to settle allegations that Walgreens violated the False Claims Act by billing Medicaid at rates higher than its usual and customary (U&C) rates for certain prescription drugs... Walgreens will pay the states and federal government $60 million, all of which is attributable to the states’ Medicaid programs... The national federal and state civil settlement will resolve allegations relating to Walgreens’ discount drug program, known as the Prescription Savings Club (PSC). The investigation revealed that Walgreens submitted claims to the states’ Medicaid programs in which it identified U&C prices for certain prescription drugs sold through the PSC program that were higher than what Walgreens actually charged for those drugs... This is the second false claims act settlement reached with Walgreens today. On January 22, 2019, AG James announced that Walgreens is to pay New York over $6.5 million as part of a $209.2 million settlement with the federal government and other states, resolving allegations that Walgreens knowingly engaged in fraudulent conduct when it dispensed insulin pens..."

States involved in the settlement include New York, California, Illinois, Indiana, Michigan and Ohio. Kudos to all Attorneys General and their staffs for protecting patients against corporate greed.


Companies Want Your Location Data. Recent Examples: The Weather Channel And Burger King

It is easy to find examples where companies use mobile apps to collect consumers' real-time GPS location data, so they can archive and resell that information later for additional profits. First, ExpressVPN reported:

"The city of Los Angeles is suing the Weather Company, a subsidiary of IBM, for secretly mining and selling user location data with the extremely popular Weather Channel App. Stating that the app unfairly manipulates users into enabling their location settings for more accurate weather reports, the lawsuit affirms that the app collects and then sells this data to third-party companies... Citing a recent investigation by The New York Times that revealed more than 75 companies silently collecting location data (if you haven’t seen it yet, it’s worth a read), the lawsuit is basing its case on California’s Unfair Competition Law... the California Consumer Privacy Act, which is set to go into effect in 2020, would make it harder for companies to blindly profit off customer data... This lawsuit hopes to fine the Weather Company up to $2,500 for each violation of the Unfair Competition Law. With more than 200 million downloads and a reported 45+ million users..."

Long-term readers remember that a data breach in 2007 at IBM Inc. prompted this blog. It's not only internet service providers which collect consumers' location data. Advertisers, retailers, and data brokers want it, too.

Second, Burger King ran a national "Whopper Detour" promotion last month which offered customers a one-cent Whopper burger if they went near a competitor's store. News 5, the ABC News affiliate in Cleveland, reported:

"If you download the Burger King mobile app and drive to a McDonald’s store, you can get the penny burger until December 12, 2018, according to the fast-food chain. You must be within 600 feet of a McDonald's to claim your discount, and no, McDonald's will not serve you a Whopper — you'll have to order the sandwich in the Burger King app, then head to the nearest participating Burger King location to pick it up. More information about the deal can be found on the app on Apple and Android devices."

Next, the relevant portions from Burger King's privacy policy for its mobile apps (emphasis added):

"We collect information you give us when you use the Services. For example, when you visit one of our restaurants, visit one of our websites or use one of our Services, create an account with us, buy a stored-value card in-restaurant or online, participate in a survey or promotion, or take advantage of our in-restaurant Wi-Fi service, we may ask for information such as your name, e-mail address, year of birth, gender, street address, or mobile phone number so that we can provide Services to you. We may collect payment information, such as your credit card number, security code and expiration date... We also may collect information about the products you buy, including where and how frequently you buy them... we may collect information about your use of the Services. For example, we may collect: 1) Device information - such as your hardware model, IP address, other unique device identifiers, operating system version, and settings of the device you use to access the Services; 2) Usage information - such as information about the Services you use, the time and duration of your use of the Services and other information about your interaction with content offered through a Service, and any information stored in cookies and similar technologies that we have set on your device; and 3) Location information - such as your computer’s IP address, your mobile device’s GPS signal or information about nearby WiFi access points and cell towers that may be transmitted to us..."

So, for the low, low price of one hamburger, participants in this promotion gave RBI, the parent company which owns Burger King, perpetual access to their real-time location data. And, since RBI knows when, where, and how long its customers visit competitors' fast-food stores, it also knows similar details about everywhere else you go -- including school, work, doctors, hospitals, and more. Sweet deal for RBI. A poor deal for consumers.

Expect to see more corporate promotions like this, which privacy advocates call "surveillance capitalism."

Consumers' real-time location data is very valuable. Don't give it away for free. If you decide to share it, demand a fair, ongoing payment in exchange. Read privacy and terms-of-use policies before downloading mobile apps, so you don't get abused or taken. Opinions? Thoughts?


The Privacy And Data Security Issues With Medical Marijuana

In the United States, some states have enacted legislation making medical marijuana legal -- despite it being illegal at a federal level. This situation presents privacy issues for both retailers and patients.

In her "Data Security And Privacy" podcast series, privacy consultant Rebecca Herold (@PrivacyProf) interviewed a patient cannabis advocate about privacy and data security issues:

"Most people assume that their data is safe in cannabis stores & medical cannabis dispensaries. Or they believe if they pay in cash there will be no record of their cannabis purchase. Those are incorrect beliefs. How do dispensaries secure & share data? Who WANTS that data? What security is needed? Some in government, law enforcement & employers want data about state legal marijuana and medical cannabis purchases. Michelle Dumay, Cannabis Patient Advocate, helps cannabis dispensaries & stores to secure their customers’ & patients’ data & privacy. Michelle learned through experience getting treatment for her daughter that most medical cannabis dispensaries are not compliant with laws governing the security and privacy of patient data... In this episode, we discuss information security & privacy practices of cannabis shops, risks & what needs to be done when it comes to securing data and understanding privacy laws."

Many consumers know that the Health Insurance Portability and Accountability Act (HIPAA) governs how patients' privacy is protected, and which businesses must comply with that law.

Poor data security (e.g., data breaches, unauthorized recording of patients inside or outside of dispensaries) can result in the misuse of patients' personal and medical information by bad actors and others. Downstream consequences can be negative, such as employers using the data to decline job applications.

After listening to the episode, it seems reasonable for consumers to assume that traditional information industry players (e.g., credit reporting agencies, advertisers, data brokers, law enforcement, government intelligence agencies, etc.) all want marijuana purchase data. Note the use of "consumers," and not only "patients," since about 10 states have legalized recreational marijuana.

Listen to an encore presentation of the "Medical Cannabis Patient Privacy And Data Security" episode.


Samsung Phone Owners Unable To Delete Facebook And Other Apps. Anger And Privacy Concerns Result

Some consumers have learned that they can't delete Facebook and other mobile apps from their Samsung smartphones. Bloomberg described one consumer's experiences:

"Winke bought his Samsung Galaxy S8, an Android-based device that comes with Facebook’s social network already installed, when it was introduced in 2017. He has used the Facebook app to connect with old friends and to share pictures of natural landscapes and his Siamese cat -- but he didn’t want to be stuck with it. He tried to remove the program from his phone, but the chatter proved true -- it was undeletable. He found only an option to "disable," and he wasn’t sure what that meant."

Samsung phones operate using Google's Android operating system (OS). The "chatter" refers to online complaints by Samsung phone owners. There were plenty of complaints, ranging from snarky to informative. Some persons shared their (understandable) anger, and one person reminded consumers of bigger issues with Android OS phones: the privacy concern that pre-installed apps raise.

And, that privacy concern still exists. Sophos Labs reported:

"Advocacy group Privacy International announced the findings in a presentation at the 35th Chaos Computer Congress late last month. The organization tested 34 apps and documented the results, as part of a downloadable report... 61% of the apps tested automatically tell Facebook that a user has opened them. This accompanies other basic event data such as an app being closed, along with information about their device and suspected location based on language and time settings. Apps have been doing this even when users don’t have a Facebook account, the report said. Some apps went far beyond basic event information, sending highly detailed data. For example, the travel app Kayak routinely sends search information including departure and arrival dates and cities, and numbers of tickets (including tickets for children)."

After multiple data breaches and privacy snafus, some Facebook users have decided to either quit the Facebook mobile app or quit the service entirely. Now, some Samsung phone users have learned that quitting can be more difficult, and they don't have as much control over their devices as they thought.

How did this happen? Bloomberg explained:

"Samsung, the world’s largest smartphone maker, said it provides a pre-installed Facebook app on selected models with options to disable it, and once it’s disabled, the app is no longer running. Facebook declined to provide a list of the partners with which it has deals for permanent apps, saying that those agreements vary by region and type... consumers may not know if Facebook is pre-loaded unless they specifically ask a customer service representative when they purchase a phone."

Not good. So, now we know that there are two classes of mobile apps: 1) pre-installed and 2) permanent. Pre-installed apps come on new devices. Some pre-installed apps can be deleted by users. Permanent mobile apps are pre-installed apps which cannot be removed/deleted by users. Users can only disable permanent apps.

Sadly, there's more and it's not only Facebook. Bloomberg cited other agreements:

"A T-Mobile US Inc. list of apps built into its version of the Samsung Galaxy S9, for example, includes the social network as well as Amazon.com Inc. The phone also comes loaded with many Google apps such as YouTube, Google Play Music and Gmail... Other phone makers and service providers, including LG Electronics Inc., Sony Corp., Verizon Communications Inc. and AT&T Inc., have made similar deals with app makers..."

This is disturbing. There seem to be several issues:

  1. Notice: consumers should be informed before purchase of any and all phone apps which can't be removed. The presence of permanent mobile apps suggests either a lack of notice, notice buried within legal language of phone manufacturers' user agreements, or both.
  2. Privacy: just because a mobile app isn't running doesn't mean it isn't operating. Stealth apps can still collect GPS location and device information while running in the background; and then transmit it to manufacturers. Hopefully, some enterprising technicians or testing labs will verify independently whether "disabled" permanent mobile apps have truly stopped working.
  3. Transparency: phone manufacturers should explain and publish their lists of partners with both pre-installed and permanent app agreements -- for each device model. Otherwise, consumers cannot make informed purchase decisions about phones.
  4. Scope: the Samsung-Facebook pre-installed apps raise questions about other devices with permanent apps: phones, tablets, laptops, smart televisions, and automotive vehicles. Perhaps, some independent testing by Consumer Reports can determine a full list of devices with permanent apps.
  5. Nothing is free. Pre-installed app agreements indicate another method which device manufacturers use to make money, by collecting and sharing consumers' data with other tech companies.

The bottom line is trust. Consumers have more valid reasons to distrust some device manufacturers and OS developers. What issues do you see? What are your thoughts about permanent mobile apps?


Dirty Tricks By Some Sellers At Amazon To Eliminate Competitors. Is Its Resolution System The Best Amazon Can Do?

Many consumers like shopping at Amazon.com. What you may not realize are the dirty tricks and scams among some sellers -- the individuals and firms who provide the products you purchase at the site. The Verge reported:

"When you buy something on Amazon, the odds are, you aren’t buying it from Amazon at all... They are largely hidden from customers, but behind any item for sale, there could be dozens of sellers, all competing for your click. This year, Marketplace sales were almost double those of Amazon retail itself, according to Marketplace Pulse, making the seller platform alone the largest e-commerce business in the US... "

Reportedly, there are 6 million sellers in Amazon Marketplace. So, there's plenty of competition. The Verge article described one dirty trick where a seller posted bogus 5-star reviews on a competitor's page within the site. When the bogus reviews were removed, the targeted seller was accused of falsely manipulating buyers' reviews -- a violation of the site's rules -- and suspended. The Verge described several attacks by scammers. Here's another:

"Scammers have effectively weaponized Amazon’s anti-counterfeiting program. Attacks have become so widespread that they’ve even pulled in the US Patent and Trademark Office... Scammers had begun swapping out the email addresses on their rival’s trademark files, which can be done without a password, and using the new email to register their competitor’s brand with Amazon, gaining control of their listings... Amazon appears not to check whether a listing belongs to a brand already enrolled in brand registry..."

No online shopper wants to buy products from a seller who has fraudulently taken over a valid seller's trademarks.

Punishment is harsh for violators within Amazon Marketplace: suspension, monies frozen, de-listed from the site, and unable to sell products online. If the suspension lasts long enough or if reinstatement doesn't happen fast enough, bankruptcy can result. And all of this happens behind the scenes unbeknownst to customers:

"For sellers, Amazon is a quasi-state. They rely on its infrastructure — its warehouses, shipping network, financial systems, and portal to millions of customers — and pay taxes in the form of fees. They also live in terror of its rules, which often change and are harshly enforced... Sellers are more worried about a case being opened on Amazon than in actual court, says Dave Bryant, an Amazon seller and blogger. Amazon’s judgment is swifter and less predictable, and now that the company controls nearly half of the online retail market in the US, its rulings can instantly determine the success or failure of your business, he says... Amazon already has something like a judicial system — one that is secretive, volatile, and often terrifying. Amazon’s judgments are so severe that its own rules have become the ultimate weapon in the constant warfare of Marketplace. Sellers devise all manner of intricate schemes to frame their rivals... They impersonate, copy, deceive, threaten, sabotage, and even bribe Amazon employees for information on their competitors."

So, rather than using the established, well-documented public courts and legal system, this happens secretly within a corporation's processes with some unintended consequences:

"... what’s a seller to do when they end up in Amazon court? They can turn to someone like Cynthia Stine, who is part of a growing industry of consultants who help sellers navigate the ruthless world of Marketplace and the byzantine rules by which Amazon governs it. They are like lawyers, only their legal code is the Amazon Terms of Service, their court is a secretive and semi-automated corporate bureaucracy..."

How byzantine? Consider:

"Many sellers can’t even figure out what Amazon is accusing them of. A suspension message will typically list an item along with a broad and tangentially related category of an infraction, like "used sold as new." Understandably, sellers respond by sending invoices that show that the items are, in fact, new. Actually, Stine says, the suspension usually has nothing to do with the item being used, but with something like a peeling label on the box. “The thing Amazon wants you to fix is the buyer perception,” Stine says... JC Hewitt, whose law firm frequently works with Amazon sellers, calls the system’s mandatory guilty pleas, arbitrary verdicts, and obscure language "a Kafkaesque bureaucracy with bad writing." Inscrutable rulings emerge as if from a black box. The Performance team, which handles suspensions, has no phone number; there’s no one to ask for clarification. The only way to interact with them is by filing an appeal, and when it’s rejected, sellers often have no idea why... The secrecy can be so frustrating that sellers have traveled to Seattle or Amazon’s London office to try to find a human, to no avail..."

Huh? What? I'll bet many Amazon customers don't know this. And the system seems to use a poor balance of automation and humans:

"... there were likely humans reading [a seller's] appeal, but they’re part of a highly automated bureaucracy, according to former Amazon employees. An algorithm flags sellers based on a range of metrics — customer complaints, number of returns, certain keywords used in reviews, and other, more mysterious variables — and passes them to Performance workers based in India, Costa Rica, and other locations. These workers choose between several prewritten blurbs to send to sellers. They may see what the actual problem is or the key item missing from an appeal, but they can’t be more specific than the forms allow... The Performance workers’ incentives favor rejection. They must process approximately one claim every four minutes, and reinstating someone who later gets suspended again counts against them..."

Is this the best system possible? Probably not. I hope not. My guess is many Amazon Prime customers would prefer a better system to resolve disputes between sellers. My guess is that most shoppers would want to avoid using sellers who abuse or frame other sellers. And no shoppers want to buy from a seller who has fraudulently taken over another seller's trademarks.

The situation raises several issues:

  • A private court system prevents Amazon customers from knowing about and avoiding shopping at sellers who abuse or frame other sellers
  • A private court system prevents external reviews and/or oversight by independent parties
  • An algorithm-based system may save money, but a poor balance of humans and automation causes problems. Is this the best system possible?
  • Amazon determines what's in its customers' best interests (versus disclosure and then feedback from customers)
  • There seem to be few penalties for sellers who frame or set up other sellers. What fix is underway?
  • The current system smells like a bloated monopoly. With some transparency and input, a better system seems possible... preferred.

What are your opinions? What issues do you see? Is a private court system a good thing?


Amazon Said Its Data Breach Was Due To A "Technical Error" And Discloses Few Breach Details

Amazon.com, the online retail giant, confirmed that it experienced a data breach last Wednesday. CBS News reported:

"Amazon said a technical error on its website exposed the names and email addresses of some customers. The online retail giant [said] its website and systems weren't hacked. "We have fixed the issue and informed customers who may have been impacted," said an Amazon spokesperson. An Amazon spokesman didn't answer additional questions, like how many people were affected or whether any of the information was stolen."

A check of the press center and blog sections of the Amazon.com site failed to find any mention of the data breach. The Ars Technica blog posted the text of the breach notification email Amazon sent to affected users:

"From: Amazon.com
Sent: 21 November 2018 10:53
To: a--------l@hotmail.com
Subject: Important Information about your Amazon.com Account

Hello,
We’re contacting you to let you know that our website inadvertently disclosed your name and email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action.

Sincerely,
Customer Service
http://Amazon.com"

What? That's all? No link to a site or to a page for customers with questions?

This incident is a reminder that several things can cause data breaches. It's not only when cyber-criminals break into an organization's computers or systems. Human error causes data breaches, too. In some breaches, employees collude with criminals. In some cases, sloppy data security by outsource vendors causes data breaches. Details matter.

Typically, organizations affected by data breaches hire external security agencies to conduct independent, post-breach investigations to learn important details: when the breach started, how exactly the breach happened, the list of data elements unauthorized users accessed/stole, what else may have happened that wasn't readily apparent when the incident was discovered, and key causal events leading up to the breach -- all so that a complete fix can be implemented, and so that it doesn't happen again.

Who made the "technical error?" Who discovered it? What caused it? How long did the error exist? Who fixed it? Were specialized skills or tools necessary? What changes were made so that it won't happen again? Amazon isn't saying. If management decided to skip a post-breach investigation, consumers deserve to know that and why, too.

Often, the breach starts long before it is discovered by the company, or by a security researcher. Often, the fix includes several improvements: software changes, employee training, and/or improved security processes with contractors.

So, all we know is that names and email addresses were accessed by unauthorized persons. If stolen, that is sufficient to do damage -- spam or phishing email messages, to trick victims into revealing sensitive personal (e.g., usernames, passwords, etc.) and payment (e.g., bank account numbers, credit card numbers, etc.) information. It is not too much to ask Amazon to share both breach details and the results of a post-breach investigation.

Executives at Amazon know all of this, so maybe it was a management decision not to share breach details nor a post-breach investigation -- perhaps, not wanting to risk huge Black Friday holiday sales. Then again, the lack of details could imply the breach was far worse than management wants to admit.

Either way, this is troublesome. It's all about trust. When details are shared, consumers can judge the severity of the breach, the completeness of the company's post-breach response, and ideally feel better about continuing to shop at the site. What do you think?


Study: Most Consumers Fear Companies Will 'Go Too Far' With Artificial Intelligence Technologies

New research has found that consumers are conflicted about artificial intelligence (AI) technologies. A national study of 697 adults during the Spring of 2018 by Elicit Insights found:

"Most consumers are conflicted about AI. They know there are benefits, but recognize the risks, too"

Several specific findings:

  • 73 percent of survey participants (Strongly Agree or Agree) fear "some companies will go too far with AI"
  • 64 percent agreed (Strongly Agree or Agree) with the statement: "I'm concerned about how companies will use artificial intelligence and the information they have about me to engage with me"
  • "Six out of 10 Americans agree or strongly agree that AI will never be as good as human interaction. Human interaction remains sacred and there is concern with at least a third of consumers that AI won’t stay focused on mundane tasks and leave the real thinking to humans."

Many of the concerns center around control. As AI applications become smarter and more powerful, they are able to operate independently, without human -- users' -- authorization. When presented with several smart-refrigerator scenarios, the less control users had over purchases the fewer survey participants viewed AI as a benefit:

[Figure: Smart refrigerator and food purchase scenarios. AI study by Elicit Insights.]

AI technologies can also be used to find and present possible matches for online dating services. Again, survey participants expressed similar control concerns:

[Figure: Dating service scenarios. AI study by Elicit Insights.]

Download Elicit Insights' complete Artificial Intelligence survey (Adobe PDF). What are your opinions? Do you prefer AI applications that operate independently, or which require your authorization?


Whirlpool's Online Product Registration: Confidentiality and Privacy Concerns

Earlier this month, my wife and I relocated to a different city within the same state to live closer to our new, 14-month young grandson. During the move, we bought new home appliances -- a clothes washer and dryer, both made by Whirlpool -- which prompted today's blog post.

The packaging and operation instructions included two registration postcards with the model and serial numbers printed on the form. Nothing controversial about that. The registration cards included, "Other Easy Ways To Register," and listed both registration websites for the United States and Canada. I tried the online registration to see what improvements or benefits Whirlpool's United States registration site might offer over the old-school snail-mail method besides speed.

The landing page includes a form for the customer's contact information, product purchased information, and future purchase plans. Pretty standard stuff. Nothing alarming there. Near the bottom of the form and just above the "Complete Registration" button are links to Whirlpool's Terms & Conditions and Privacy policies. I read both and found some surprises.

First, the site uses inconsistent nomenclature: two different policy titles. The link says "Terms & Conditions" while the title of the actual policy page states, "Terms Of Use." Which is it? Inconsistent nomenclature can confuse users. Not good. Come on, Whirlpool! This is not hard. Good website usability includes the consistent use of the same page title, so users know where they are going when they select a link, and that they've arrived at the expected destination.

Second, the Terms Of Use (well, I had to pick a title so it would be clear for you) policy page lacks a date. This can be confusing, making it difficult or impossible for consumers to know and reference the exact document read, and to determine what, if any, changes were posted since the prior version. Not good. Come on, Whirlpool! Add a publication date. It's not hard.

Third, the Terms Of Use policy contained this clause:

"Whirlpool Corporation welcomes your submissions; however, any information submitted, other than your personal information (for example, your name and e-mail address), to Whirlpool Corporation through this site is the exclusive property of Whirlpool Corporation and is considered NOT to be confidential. Whirlpool Corporation does not receive the submission in confidence or under any confidential or fiduciary relationship. Whirlpool Corporation may use the submission for any purpose without restriction or compensation."

So, the Terms of Use policy is both vague and clear at the same time. It was vague because it didn't list the exact data elements considered "personal information." Not good. This leaves consumers to guess. The policy lists only two data elements. What about the rest? Are all confidential, or only some? And if some, which ones? Here's the list I consider confidential: name, street address, country, phone number, e-mail address, IP address, device type, device model, device operating system, payment card information, billing address, and online credentials (should I create a profile at the Whirlpool site). Come on Whirlpool! Get it together and provide the complete list of data elements you consider "personal information." It's not hard.

Fourth, the Terms Of Use policy was also clear because the sentences quoted above made Whirlpool's intentions clear: submissions to the site other than "personal information" are not confidential and Whirlpool can do with them whatever it wants. Since the policy doesn't list which data elements are personal, one must assume all are. Not good.

Next, I read Whirlpool's Privacy policy, and hoped that it would clarify things. Thankfully, a little good news. First, the Privacy policy listed a date: May 31, 2018. Second, more inconsistent site nomenclature: the page-bottom links across the site say "Privacy Policy" while the policy page title says "Privacy Statement." I selected the "Expand All" button to view the entire policy. Third, Whirlpool's Privacy Statement listed the items considered personal information:

"- Your contact information, such as your name, email address, mailing address, and phone number
- Your billing information, such as your credit card number and billing address
- Your Whirlpool account information, including your user name, account number, and a password
- Your product and ownership information
- Your preferences, such as product wish lists, order history, and marketing preferences"

This list is a good start. A simple link to this section from the Terms Of Use policy would do wonders to clarify things. However, Whirlpool also collects some key data which it collects and trades more freely than "personal information." The Privacy Statement contains this clause:

"Whirlpool and its business partners and service providers may use a variety of technologies that automatically or passively collect information about how you interact with our Websites ("Usage Information"). Usage Information may include: (i) your IP address, which is a unique set of numbers assigned to your computer by your Internet Service Provider (ISP) (which, depending on your ISP, may be a different number every time you connect to the Internet); (ii) the type of browser and operating system you use; and (iii) other information about your online session, such as the URL you came from to get to our Websites and the date and time you visited our Websites."

And, the Privacy Statement mentions the use of several online tracking technologies:

"We use Local Shared Objects (LSOs) such as HTML5 or Flash on our Websites to store content information and preferences. Third parties with whom we partner to provide certain features on our Websites or to display advertising based upon your web browsing activity use LSOs such as HTML5 or Flash to collect and store information... Web beacons are tiny electronic image files that can be embedded within a web page or included in an e-mail message, and are usually invisible to the human eye. When we use web beacons within our web pages, the web beacons (also known as “clear GIFs” or “tracking pixels”) may tell us such things as: how many people are coming to our Websites, whether they are one-time or repeat visitors, which pages they viewed and for how long, how well certain online advertising campaigns are converting, and other similar Website usage data. When used in our e-mail communications, web beacons can tell us the time an e-mail was opened, if and how many times it was forwarded, and what links users click on from within the e-mail message."
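The quoted statement describes what web beacons in an e-mail message can report back to the sender. As an added example, not code from this blog or from Whirlpool, the Python script below scans an HTML e-mail body for the remote images that are 1x1 or hidden by CSS, which is the heuristic a privacy-minded mail filter uses to spot such "clear GIFs" before images are loaded. The sample message and the example-mailer.test URLs are constructed.

```python
"""Flag likely web beacons ("clear GIFs", tracking pixels) in an HTML e-mail body.

Added example, not from the blog post or from Whirlpool. A remote <img> that is
1x1 (or smaller), or hidden by inline CSS, carries nothing the reader is meant
to see, so its only job is to report that the message was opened. Standard
library only.
"""
from html.parser import HTMLParser
import re

# Pixel sizes at or below this are treated as invisible.
TINY = 1
HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:width|height)\s*:\s*0(?:px)?\s*(?:;|$)",
    re.I,
)
REMOTE = re.compile(r"^\s*https?://", re.I)


def _px(value):
    """Parse a width/height attribute like '1', '1px' or ' 0 '; None if absent or non-numeric."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


class BeaconFinder(HTMLParser):
    """Collects every <img> tag and records why it does or does not look like a beacon."""

    def __init__(self):
        super().__init__()
        self.images = []  # dicts: src, remote, beacon, reasons

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        reasons = []
        w, h = _px(a.get("width")), _px(a.get("height"))
        if w is not None and h is not None and w <= TINY and h <= TINY:
            reasons.append(f"{w}x{h} pixel")
        if HIDDEN_CSS.search(a.get("style", "")):
            reasons.append("hidden by inline CSS")
        # Only an image fetched from a remote server can phone home;
        # inline data: URIs and cid: attachments cannot, however small they are.
        remote = bool(REMOTE.match(src))
        if not remote:
            reasons = []
        self.images.append(
            {"src": src, "remote": remote, "beacon": bool(reasons), "reasons": reasons}
        )


def find_beacons(html):
    """Return one record per <img> in the body; likely beacons have beacon=True."""
    p = BeaconFinder()
    p.feed(html)
    p.close()
    return p.images


def summarize(html):
    """Return (number_of_remote_images, [beacon srcs]) for a quick block/allow decision."""
    imgs = find_beacons(html)
    return sum(i["remote"] for i in imgs), [i["src"] for i in imgs if i["beacon"]]


# Constructed sample message modelled on the tracking the privacy statement describes.
SAMPLE_EMAIL = """
<html><body>
<img src="https://img.example-mailer.test/logo.png" width="200" height="60" alt="logo">
<p>Thank you for registering your appliance.</p>
<img src="https://track.example-mailer.test/open?u=ID-PLACEHOLDER" width="1" height="1" alt="">
<img src="https://track.example-mailer.test/o.gif" style="display:none">
<img src="cid:inline-photo" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    remote, beacons = summarize(SAMPLE_EMAIL)
    print(f"{remote} remote images, {len(beacons)} likely beacons:")
    for b in beacons:
        print("  ", b)
```

A mail client that refuses to fetch the flagged images (or all remote images) denies the sender the open time and forwarding count the statement mentions.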

While the "EU-US Privacy Shield" section of the privacy policy lists Whirlpool's European subsidiaries, and contains a Privacy Shield link to an external site listing the companies that are probably some of Whirlpool's service and advertising partners, the privacy policy really does not disclose all of the "third parties," "business partners," "service vendors," advertising partners, and affiliates Whirlpool shares data with. Consumers are left in the dark.

Last, the "Your Rights: Choice & Access" section of the privacy policy describes the opt-out mechanism for consumers. While consumers can opt out of, or cancel, marketing (e.g., promotional) messaging from Whirlpool, you can't opt out of the data collection and archival. So, choice is limited.

Given this and the above concerns, I abandoned the product registration form. Yep. Didn't complete it. Maybe I will in the future after Whirlpool fixes things. Perhaps most importantly, today's blog post is a reminder for all consumers: always read companies' privacy and terms-of-use policies. Always. You never know what you'll find that is irksome. And, if you don't know how to read online policies, this blog has some tips and suggestions.


New York State Tells Charter To Leave Due To 'Persistent Non-Compliance And Failure To Live Up To Promises'

The New York State Public Service Commission (NYPSC) announced on Friday that it has revoked its approval of the 2016 merger agreement between Charter Communications, Inc. and Time Warner Cable, Inc. because:

"... Charter, doing business as Spectrum has — through word and deed — made clear that it has no intention of providing the public benefits upon which the Commission's earlier [merger] approval was conditioned. In addition, the Commission directed Commission counsel to bring an enforcement action in State Supreme Court to seek additional penalties for Charter's past failures and ongoing non-compliance..."

Charter, the largest cable provider in the State, provides digital cable television, broadband internet and VoIP telephone services to more than two million subscribers in more than 1,150 communities. It provides services to consumers in Buffalo, Rochester, Syracuse, Albany and four boroughs in New York City: Manhattan, Staten Island, Queens and Brooklyn. The planned expansion could have increased to five million subscribers in the state.

Charter provides services in 41 states: Alabama, Arizona, California, Colorado, Connecticut, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Kansas, Kentucky, Louisiana, Maine, Massachusetts, Michigan, Minnesota, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, Wisconsin, and Wyoming.

The NYPSC, a unit of the Department of Public Service, describes its mission on its site as "to ensure affordable, safe, secure, and reliable access to electric, gas, steam, telecommunications, and water services for New York State’s residential and business consumers, while protecting the natural environment." Its announcement listed Spectrum's failures and non-compliance:

"1. The company’s repeated failures to meet deadlines;
2. Charter’s attempts to skirt obligations to serve rural communities;
3. Unsafe practices in the field;
4. Its failure to fully commit to its obligations under the 2016 merger agreement; and
5. The company’s purposeful obfuscation of its performance and compliance obligations to the Commission and its customers."

The announcement provided details:

"On Jan. 8, 2016, the Commission approved Charter’s acquisition of Time Warner. To obtain approval, Charter agreed to a number of conditions required by the Commission to advance the public interest, including delivering broadband speed upgrades to 100 Mbps statewide by the end of 2018, and 300 Mbps by the end of 2019, and building out its network to pass an additional 145,000 un-served or under-served homes and businesses in the State's less densely populated areas within four years... Despite missing every network expansion target since the merger was approved in 2016, Charter has falsely claimed in advertisements it is exceeding its commitments to the State and is on track to deliver its network expansion. This led to the NYPSC’s general counsel referring a false advertising claim to the Attorney General’s office for enforcement... By its own admission, Charter has failed to meet its commitment to expand its service network... Its failure to meet its June 18, 2018 target by more than 40 percent is only the most recent example. Rather than accept responsibility Charter has tried to pass the blame for its failure on other companies, such as utility pole owners..."

The NYPSC has already levied $3 million in fines against Charter. The latest action basically boots Charter out of the State:

"Charter is ordered to file within 60 days a plan with the Commission to ensure an orderly transition to a successor provider(s). During the transition process, Charter must continue to comply with all local franchises it holds in New York State and all obligations under the Public Service Law and the NYPSC regulations. Charter must ensure no interruption in service is experienced by customers, and, in the event that Charter does not do so, the NYPSC will take further steps..."

Of course, executives at Charter have a different view of the situation. NBC New York reported:

"In the weeks leading up to an election, rhetoric often becomes politically charged. But the fact is that Spectrum has extended the reach of our advanced broadband network to more than 86,000 New York homes and businesses since our merger agreement with the PSC. Our 11,000 diverse and locally based workers, who serve millions of customers in the state every day, remain focused on delivering faster and better broadband to more New Yorkers, as we promised..."


European Regulators Fine Google $5 Billion For 'Breaching EU Antitrust Rules'

On Wednesday, European anti-trust regulators fined Google 4.34 billion Euros (U.S. $5 billion) and ordered the tech company to stop using its Android operating system software to block competition. ComputerWorld reported:

"The European Commission found that Google has abused its dominant market position in three ways: tying access to the Play store to installation of Google Search and Google Chrome; paying phone makers and network operators to exclusively install Google Search, and preventing manufacturers from making devices running forks of Android... Google won't let smartphone manufacturers install Play on their phones unless they also make its search engine and Chrome browser the defaults on their phones. In addition, they must only use a Google-approved version of Android. This has prevented companies like Amazon.com, which developed a fork of Android it calls FireOS, from persuading big-name manufacturers to produce phones running its OS or connecting to its app store..."

Reportedly, less than 10% of Android phone users download a different browser than the pre-installed default. Less than 1% use a different search app. View the archive of European Commission Android OS documents.

Yesterday, the European Commission announced on social media:

[European Commission tweet: Google Android OS restrictions graphic]

[European Commission tweet: Vestager comments]

And, The Guardian newspaper reported:

"Soon after Brussels handed down its verdict, Google announced it would appeal. "Android has created more choice for everyone, not less," a Google spokesperson said... Google has 90 days to end its "illegal conduct" or its parent company Alphabet could be hit with fines amounting to 5% of its daily [revenues] for each day it fails to comply. Wednesday’s verdict ends a 39-month investigation by the European commission’s competition authorities into Google’s Android operating system but it is only one part of an eight-year battle between Brussels and the tech giant."

According to the Reuters news service, a third EU case against Google, involving accusations that the tech company's AdSense advertising service blocks users from displaying search ads from competitors, is still ongoing.


The DIY Revolution: Consumers Alter Or Build Items Previously Not Possible. Is It A Good Thing?

Recent advances in technology allow consumers to alter, customize, or build locally items previously not possible. These items are often referred to as Do-It-Yourself (DIY) products. You've probably heard DIY used in home repair and renovation projects on television. DIY now happens in some unexpected areas. Today's blog post highlights two areas.

DIY Glucose Monitors

Earlier this year, CNet described the bag an eight-year-old patient carries with her everywhere daily:

"... It houses a Dexcom glucose monitor and a pack of glucose tablets, which work in conjunction with the sensor attached to her arm and the insulin pump plugged into her stomach. The final item in her bag was an iPhone 5S. It's unusual for such a young child to have a smartphone. But Ruby's iPhone, which connects via Bluetooth to her Dexcom monitor, allowing [her mother] to read it remotely, illustrates the way technology has transformed the management of diabetes from an entirely manual process -- pricking fingers to measure blood sugar, writing down numbers in a notebook, calculating insulin doses and injecting it -- to a semi-automatic one..."

Some people have access to these new technologies, but many don't. Others want more connectivity and better capabilities. So, some creative "hacking" has resulted:

"There are people who are unwilling to wait, and who embrace unorthodox methods. (You can find them on Twitter via the hashtag #WeAreNotWaiting.) The Nightscout Foundation, an online diabetes community, figured out a workaround for the Pebble Watch. Groups such as Nightscout, Tidepool and OpenAPS are developing open-source fixes for diabetes that give major medical tech companies a run for their money... One major gripe of many tech-enabled diabetes patients is that the two devices they wear at all times -- the monitor and the pump -- don't talk to each other... diabetes will never be a hands-off disease to manage, but an artificial pancreas is basically as close as it gets. The FDA approved the first artificial pancreas -- the Medtronic 670G -- in October 2017. But thanks to a little DIY spirit, people have had them for years."

CNet shared the experience of another tech-enabled patient:

"Take Dana Lewis, founder of the open-source artificial pancreas system, or OpenAPS. Lewis started hacking her glucose monitor to increase the volume of the alarm so that it would wake her in the night. From there, Lewis tinkered with her equipment until she created a closed-loop system, which she's refined over time in terms of both hardware and algorithms that enable faster distribution of insulin. It has massively reduced the "cognitive burden" on her everyday life... JDRF, one of the biggest global diabetes research charities, said in October that it was backing the open-source community by launching an initiative to encourage rival manufacturers like Dexcom and Medtronic to open their protocols and make their devices interoperable."

Convenience and affordability are huge drivers. As you might have guessed, there are risks:

"Hacking a glucose monitor is not without risk -- inaccurate readings, failed alarms or the wrong dose of insulin distributed by the pump could have fatal consequences... Lewis and the OpenAPS community encourage people to embrace the build-your-own-pancreas method rather than waiting for the tech to become available and affordable."

Are DIY glucose monitors a good thing? Some patients think so as a way to achieve convenient and affordable healthcare solutions. That might lead you to conclude anything DIY is an improvement. Right? Keep reading.

DIY Guns

Got a 3-D printer? If so, then you can print your own DIY gun. How did this happen? How did the USA get here? Wired explained:

"Five years ago, 25-year-old radical libertarian Cody Wilson stood on a remote central Texas gun range and pulled the trigger on the world’s first fully 3-D-printed gun... he drove back to Austin and uploaded the blueprints for the pistol to his website, Defcad.com... In the days after that first test-firing, his gun was downloaded more than 100,000 times. Wilson made the decision to go all in on the project, dropping out of law school at the University of Texas, as if to confirm his belief that technology supersedes law..."

The law intervened. Wilson stopped, took down his site, and then pursued a legal remedy:

"Two months ago, the Department of Justice quietly offered Wilson a settlement to end a lawsuit he and a group of co-plaintiffs have pursued since 2015 against the United States government. Wilson and his team of lawyers focused their legal argument on a free speech claim: They pointed out that by forbidding Wilson from posting his 3-D-printable data, the State Department was not only violating his right to bear arms but his right to freely share information. By blurring the line between a gun and a digital file, Wilson had also successfully blurred the lines between the Second Amendment and the First."

So, now you... anybody with an internet connection and a 3-D printer (and a computer-controlled milling machine for some advanced parts)... can produce their own DIY gun. No registration required. No licenses or permits. No training required. And that's anyone, anywhere in the world.

Oh, there's more:

"The Department of Justice's surprising settlement, confirmed in court documents earlier this month, essentially surrenders to that argument. It promises to change the export control rules surrounding any firearm below .50 caliber—with a few exceptions like fully automatic weapons and rare gun designs that use caseless ammunition—and move their regulation to the Commerce Department, which won't try to police technical data about the guns posted on the public internet. In the meantime, it gives Wilson a unique license to publish data about those weapons anywhere he chooses."

As you might have guessed, Wilson is re-launching his website, but this time with blueprints for more DIY weaponry besides pistols: AR-15 rifles and semi-automatic weaponry. So, it will be easier for people to skirt federal and state gun laws. Is that a good thing?

You probably have some thoughts and concerns. I do. There are plenty of issues and questions. Are DIY products a good thing? Who is liable? How should laws be upgraded? How can society facilitate one set of DIY products and not the other? What related issues do you see? Any other notable DIY products?


Adidas Announced A 'Potential' Data Breach Affecting Online Shoppers in the United States

Adidas announced on June 28 a "potential" data breach affecting an undisclosed number of:

"... consumers who purchased on adidas.com/US... On June 26, Adidas became aware that an unauthorized party claims to have acquired limited data associated with certain Adidas consumers. Adidas is committed to the privacy and security of its consumers' personal data. Adidas immediately began taking steps to determine the scope of the issue and to alert relevant consumers. adidas is working with leading data security firms and law enforcement authorities to investigate the issue..."

The preliminary breach investigation found that contact information, usernames, and encrypted passwords were exposed or stolen. So far, no credit card or fitness information of consumers was "impacted." The company said it is continuing a forensic review and alerting affected customers.

While the company's breach announcement did not disclose the number of affected customers, CBS News reported that hackers may have stolen data about millions of customers. Fox Business reported that the Adidas:

"... hack was reported weeks after Under Armour’s health and fitness app suffered a security breach, which exposed the personal data of roughly 150 million users. The revealed information included the usernames, hashed passwords and email addresses of MyFitnessPal users."

It is critical to remember that this June 28th announcement was based upon a preliminary investigation. A completed breach investigation will hopefully determine and disclose any additional data elements exposed (or stolen), how the hackers penetrated the company's computer systems, which systems were penetrated, whether any internal databases were damaged/corrupted/altered, the total number of customers affected, specific fixes implemented so this type of breach doesn't happen again, and descriptive information about the cyber criminals.

This incident is also a reminder to consumers to never reuse the same password at several online sites. Cyber criminals are persistent, and will try the same password at several sites to see where else they can get in. It is no relief that encrypted passwords were stolen, because we don't yet know if the encryption tools were also stolen (making it easy for the hackers to decrypt the passwords). Not good.

We also don't yet know what "contact information" means. That could be first name, last name, phone, street address, e-mail address, mobile phone numbers, or some combination. If e-mail addresses were stolen, then breach victims could also experience phishing attacks where fraudsters try to trick victims into revealing bank account, sign-in credentials, and other sensitive information.

If you received a breach notice from Adidas, please share it below while removing any sensitive, identifying information.


When "Unlimited" Mobile Plans Are Anything But

My apologies to readers for the 10-day gap in blog posts. I took a few days off to attend a high school reunion in another state. Time passes more quickly than you think. It was good to renew connections with classmates.

Speaking of connections, several telecommunications companies appear to either ignore or not know the meaning of "unlimited" for mobile internet access. 9To5mac reported:

"Not content with offering one ‘unlimited’ plan which isn’t, and a second ‘beyond unlimited’ plan which also isn’t, Verizon has now decided the solution to this is a third plan. The latest addition is called ‘above unlimited’ and, you guessed it, it’s not... The carrier has the usual get-out clause, claiming that all three plans really are unlimited, it’s just that they reserve the right to throttle your connection speed once you hit the stated, ah, limits."

Some of the mobile plans limit video to low-resolution formats. In 2018, do you prefer to watch low-resolution video formatted for 2008 (or earlier)? I think not. Do you want your connection slowed after you reach a data download threshold? I think not.

I look forward to action by the U.S. Federal Trade Commission (FTC) to enforce the definition of "unlimited," since the "light-touch" regulatory approach by the Federal Communications Commission (FCC) means that the FCC has abandoned its duties regarding oversight of internet service providers.

Caveat emptor, or buyer beware, definitely applies. Wise consumers read the fine print before purchasing any online service.


FBI Warns Sophisticated Malware Targets Wireless Routers In Homes And Small Businesses

The U.S. Federal Bureau of Investigation (FBI) issued a Public Service Announcement (PSA) warning consumers and small businesses that "foreign cyber actors" have targeted their wireless routers. The May 25th PSA explained the threat:

"The actors used VPNFilter malware to target small office and home office routers. The malware is able to perform multiple functions, including possible information collection, device exploitation, and blocking network traffic... The malware targets routers produced by several manufacturers and network-attached storage devices by at least one manufacturer... VPNFilter is able to render small office and home office routers inoperable. The malware can potentially also collect information passing through the router. Detection and analysis of the malware’s network activity is complicated by its use of encryption and misattributable networks."

The "VPN" acronym usually refers to a Virtual Private Network. Why use the VPNFilter name for a sophisticated piece of malware? Wired magazine explained:

"... the versatile code is designed to serve as a multipurpose spy tool, and also creates a network of hijacked routers that serve as unwitting VPNs, potentially hiding the attackers' origin as they carry out other malicious activities."

The FBI's PSA advised users to: a) reboot (i.e., turn off and then back on) their routers; b) disable remote management features, which attackers could otherwise use to gain access; and c) update their routers with the latest software and security patches. For routers purchased independently, security experts advise consumers to contact the router manufacturer's tech support or customer service site.

For routers leased or purchased from an internet service provider (ISP), consumers should contact their ISP's customer service or technical support department for software updates and security patches. Example: a section of the Verizon FiOS forums site lists the brands and models affected by the VPNFilter malware, since several manufacturers produce routers for the Verizon FiOS service.

It is critical for consumers to heed this PSA. The New York Times reported:

"An analysis by Talos, the threat intelligence division for the tech giant Cisco, estimated that at least 500,000 routers in at least 54 countries had been infected by the [VPNfilter] malware... A global network of hundreds of thousands of routers is already under the control of the Sofacy Group, the Justice Department said last week. That group, which is also known as A.P.T. 28 and Fancy Bear and believed to be directed by Russia’s military intelligence agency... To disrupt the Sofacy network, the Justice Department sought and received permission to seize the web domain toknowall.com, which it said was a critical part of the malware’s “command-and-control infrastructure.” Now that the domain is under F.B.I. control, any attempts by the malware to reinfect a compromised router will be bounced to an F.B.I. server that can record the I.P. address of the affected device..."

Readers wanting technical details about VPNFilter should read the Talos Intelligence blog post.
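As an added example (not part of the original post, nor code from the FBI, Talos or the Justice Department), here is a small Python script that scans dnsmasq-style DNS query logs for lookups of toknowall.com, the sinkholed VPNFilter domain named in the quote above. The log format and the sample lines are constructed for illustration, and the only indicator it uses is the one the page names.

```python
"""Flag DNS lookups for the sinkholed VPNFilter domain in home-router resolver logs."""
import re
from collections import defaultdict

# Indicator taken from the Justice Department action quoted above: the
# VPNFilter domain the FBI seized. After the sinkhole, a lookup from a device on
# the LAN no longer reaches the attackers, but it still signals that the device
# is trying to fetch the next malware stage and should be rebooted and patched.
C2_DOMAINS = {"toknowall.com"}

# Constructed dnsmasq query line format (assumption, not from the page), e.g.
# "May 25 10:14:02 router dnsmasq[1234]: query[A] toknowall.com from 192.168.1.20"
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<src>[\d.]+)$"
)


def parse_query(line):
    """Return (timestamp, qtype, normalised name, source_ip), or None for non-query lines."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    # Normalise case and a trailing dot so "TOKNOWALL.COM." matches the indicator.
    name = m.group("name").lower().rstrip(".")
    return m.group("ts"), m.group("qtype"), name, m.group("src")


def matches_indicator(name):
    """True if `name` is an indicator domain or a subdomain of one (not a look-alike)."""
    return any(name == d or name.endswith("." + d) for d in C2_DOMAINS)


def find_c2_lookups(lines):
    """Scan log lines; return {source_ip: [(timestamp, name), ...]} for every hit."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_query(line)
        if parsed is None:
            continue
        ts, _qtype, name, src = parsed
        if matches_indicator(name):
            hits[src].append((ts, name))
    return dict(hits)


# Constructed sample log; the hosts and addresses are not real data.
SAMPLE_LOG = [
    "May 25 10:14:01 router dnsmasq[1234]: query[A] www.example.com from 192.168.1.10",
    "May 25 10:14:02 router dnsmasq[1234]: query[A] toknowall.com from 192.168.1.20",
    "May 25 10:14:02 router dnsmasq[1234]: reply toknowall.com is 198.51.100.7",
    "May 25 10:14:05 router dnsmasq[1234]: query[AAAA] mail.example.org from 192.168.1.10",
    "May 25 10:15:30 router dnsmasq[1234]: query[A] TOKNOWALL.COM. from 192.168.1.20",
    "May 25 10:16:00 router dnsmasq[1234]: query[A] nottoknowall.com from 192.168.1.30",
]

if __name__ == "__main__":
    for src, events in find_c2_lookups(SAMPLE_LOG).items():
        print(f"{src}: {len(events)} lookup(s) of a VPNFilter C2 domain, first at {events[0][0]}")
```

Only the device at 192.168.1.20 is reported; the look-alike name from 192.168.1.30 and the "reply" line are ignored.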

When consumers contact their ISP about router software updates, it is wise to also inquire about security patches for the Krack malware, which the bad actors have used recently. Example: the Verizon site also provides information about the Krack malware.

The latest threat provides several strong reminders:

  1. The conveniences of wireless internet connectivity that consumers demand and enjoy also benefit the bad guys.
  2. The bad guys are persistent and will continue to target internet-connected devices with weak or no protection, including devices consumers fail to protect.
  3. Wireless benefits come with a responsibility for consumers to shop wisely for internet-connected devices featuring easy, continual software updates and security patches. Otherwise, that shiny new device you recently purchased is nothing more than an expensive "brick."
  4. Manufacturers have a responsibility to provide consumers with easy, continual software updates and security patches for the internet-connected devices they sell.

What are your opinions of the VPNFilter malware? What has been your experience with securing your wireless home router?